Scott J. Shackelford, HuffingtonPost blog feed, http://www.huffingtonpost.com/scott-j-shackelford/ (Copyright 2008, HuffingtonPost.com, Inc.)

Could North Korea Take Over the Internet? (December 21, 2014)
Miller, now a cybersecurity analyst at Twitter, was the first person to publicly break into Apple's iPhone; he discovered a software flaw that would have allowed him to take control of every iPhone on the planet. He has won the Pwn2Own hacking competition several times, among numerous other awards, and worked for the NSA for five years. In 2010, while presenting at a NATO Cooperative Cyber Defence Centre of Excellence conference on cyber conflict in Tallinn, Estonia, Miller conducted a thought experiment: if he were forced to, how would he go about crashing the Internet and taking control of well-defended computer systems? In the scenario he imagined, former North Korean leader Kim Jong-Il had kidnapped him and coerced him to "hack the planet," that is, to control as many protected systems and Internet hosts as possible so as to dominate cyberspace. Miller then cataloged the steps that would be required to meet this audacious and dastardly goal.

He would need people -- roughly 600 working throughout the world, and a way to communicate with them. The trick would be identifying them -- a task made easier if Miller or another expert in the field was a willing co-conspirator with a North Korean intelligence agency like the Cabinet General Intelligence Bureau.

Miller's army would need funding and "weapons": botnets, distributed denial of service capacity, and, above all, zero-day exploits that take advantage of flaws in programs that the vendor has not yet patched. These weapons would mostly be delivered over the Internet, but to complete his hack, Miller would also need to compromise hard, protected targets that are often "air gapped," that is, not connected to the Internet at all. Stuxnet, the classified documents exfiltrated and published by WikiLeaks, and the 2008 breach of classified U.S. military networks are examples of attacks on supposedly isolated targets. Attackers look for poorly defended entry points with the goal of using one host to infect others on the closed network. The entry point can be as low-tech as a USB flash drive carried across the gap, which is how both Stuxnet and the 2008 breach of U.S. military networks spread.

Lastly, Miller would need time. For the first three months, his cyber army would search for vulnerabilities. From three to nine months, zero-day exploits would be identified and used to take over routers. After one year, some hard, protected targets would be compromised. At eighteen months, sufficient zero-day exploits would be found and air-gapped systems compromised to begin final planning. Finally, after two years, the attack could start manifesting itself assuming that no law enforcement agency or other group identified the attackers in the meantime, which is a rather large assumption.

The bottom line, according to Miller, is that the Internet and even air-gapped computer systems may be controlled or crashed for roughly $50 million, which is reportedly less than what North Korea spends on cybersecurity annually. Richard Clarke, among others, has warned that North Korea will not shy away from using its cyber warfare capabilities in a conflict. This danger is posed by other isolated regimes as well, and there is "anecdotal evidence that unknown parties have explored the possibility of disrupting the global network."

Sound ripe for a spy thriller? What is good for genre-writing enthusiasts is rarely an ideal starting point for policymakers. According to some commentators, such narratives merely serve to inflate fears and undermine constructive efforts to enhance cybersecurity, and it is true that such a scenario is highly unlikely. But there is some value to be extracted from this tale. The vulnerabilities that Miller points to are real and require our attention if we are to ensure that fiction does not become reality, and that the most recent cyber attacks on Sony are the end and not the beginning of a new era in state-sponsored cyber attacks.

This post is an excerpt of Scott Shackelford, Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace (Cambridge University Press, 2014).

Toward a Positive Cyber Peace (June 23, 2014)

said, "We have a faith-based approach [to cybersecurity], in that we pray every night nothing bad will happen." Indeed, in just the past few months, it has come to light that nearly half of U.S. adults have been hacked, and the U.S. is not alone. A disgruntled contractor stole the names, credit card information, and social security numbers of nearly half the population of South Korea. China also suffered one of the largest cyber attacks in history last year. In all, McKinsey & Company has estimated that cyber attacks could cost some $3 trillion in lost productivity by 2020. Some individuals, such as Professor Joseph Nye, Jr. and International Telecommunication Union (ITU) Secretary General Hamadoun Touré, and organizations, such as the Vatican's Pontifical Academy of Sciences, have called for an approach that goes beyond prayer. They have challenged the international community to consider the meaning of cyber peace at a time of seemingly endless and escalating cyber conflict.

Defining and fostering cyber peace is no easy feat; in fact, it has been said that "achieving and maintaining cyber-peace can be as demanding as starting a cyberwar." What seems clear, though, is that cyber peace is not the absence of attacks or exploitations, an idea that could be called negative cyber peace. Rather, it is the creation of a network of multilevel regimes working together to promote a global, just, and sustainable cyber peace by clarifying the rules of the road for companies and countries alike to help reduce the risk of conflict, crime, and espionage in cyberspace to levels comparable to other business and national security risks. Working together, we can stop cyber war before it starts by laying the groundwork for a positive cyber peace that respects human rights, spreads Internet access along with cybersecurity best practices, and strengthens governance mechanisms by fostering multi-stakeholder collaboration to help engender a global culture of cybersecurity.

Some have argued that achieving cyber peace requires globalizing cybersecurity, along with Internet governance, which is currently the responsibility of numerous stakeholders, from the Internet Corporation for Assigned Names and Numbers (ICANN), a California-based non-profit that coordinates the domain name system and the allocation of IP addresses, to the Internet Engineering Task Force and the Internet Governance Forum. But instead of focusing on a single path to cyber peace, such as a new cyber arms treaty that would face difficulties ranging from politics and enforcement to even defining what constitutes a "cyber weapon," it may be more worthwhile to consider utilizing a range of technical, legal, political, and economic tools couched within a polycentric framework. This is a multi-level, multi-purpose, multi-type, and multi-sectoral model developed by scholars including Nobel laureate Elinor Ostrom and Professor Vincent Ostrom that challenges orthodoxy by demonstrating the benefits of self-organization and networked regulation in addressing common problems such as cyber attacks. Among its many applications in this space is the finding that "a single governmental unit" is often incapable of managing "global collective action problems" such as climate change, or potentially, cyber attacks. Instead, a polycentric approach recognizes that diverse organizations working at multiple levels can create different types of policies that increase levels of cooperation and compliance, enhancing regime flexibility and adaptability. A top-down approach focused on a single treaty regime or institution, by contrast, could crowd out innovative bottom-up best practices developed organically from diverse ethical and legal cultures.

Active and important debates are ongoing about what is the best that we can reasonably hope for in terms of "peace" in cyberspace. But even though a grand Internet governance and cybersecurity bargain looks unlikely in the near term, concrete steps may be taken now to reduce cyber risk to all parties while raising the cost to attackers. These include the cyber powers creating a "Cybersecurity Forum," similar to the Major Emitters Forum in the climate change context, which could begin by clarifying norms to secure critical international infrastructure such as the global financial system, air traffic control, and the energy sector. Sanctions and countermeasures could be levied against nations and private organizations that launch cyber attacks against these or other critical systems. Mutual legal assistance treaties could be strengthened and forums created to help prosecute attackers when national courts are unable or unwilling to exercise jurisdiction. Cybersecurity could also become more central in trade and bilateral investment treaty negotiations so as to better protect trade secrets, which may be occurring in current U.S.-China discussions. Stakeholders could even make effective anti-malware and anti-spyware tools available for free along with open source encryption technologies to better safeguard private data, which would have the added value of helping to rebuild the reputation of U.S. technology firms that have been tarnished in the wake of disclosures from former Booz Allen systems administrator Edward Snowden. None of these suggestions is a magic bullet, but together they can begin the process of building a positive, global culture of cyber peace. Engaging in a constructive dialogue is critical to harmonizing divergent approaches to governance and reaching a middle ground between Internet sovereignty and freedom that both respects human rights and secures vital systems. Though a little prayer couldn't hurt, too.

First published by the Notre Dame Institute for Advanced Study. For more on this topic, see the new cybersecurity law and policy book from Cambridge University Press, "Managing Cyber Attacks in International Law, Business, and Relations: In Search of Cyber Peace."

Why Ignoring the NIST Framework Could Cost You (May 2, 2014)

Co-authored by Andrew Proia

Last week, the much anticipated (at least in the, let's face it, relatively small and quirky circles that pay attention to this stuff) NETmundial meeting on the future of Internet governance wrapped up in Brazil. The conference helped to entrench a growing consensus around the multi-stakeholder model of Internet governance, along with calling for a "secure, stable, resilient, [and] reliable" cyberspace. One of the recent paths toward enhancing cybersecurity, at least in the United States, has been the 2014 NIST Cybersecurity Framework. The Framework harmonizes consensus standards and industry best practices to provide, its proponents argue, a flexible and cost-effective approach to enhancing cybersecurity that assists owners and operators of critical infrastructure in assessing and managing cyber risk. But even though the Framework is voluntary, ignoring it may prove costly.

Reactions to the NIST Framework have been mixed. From its inception, the Framework has been developed with an aim toward creating a robust method of addressing critical infrastructure cybersecurity concerns without enacting binding (and potentially cumbersome) regulatory requirements. Proponents suggest that market-based incentives and support through the Department of Homeland Security's Critical Infrastructure Cyber Community Voluntary Program (referred to as the "C-Cubed" Program) will help encourage organizations to adopt the Cybersecurity Framework. However, while market-driven incentives may play a role, avoiding liability is likely to be a primary driver in firm decision-making. Negligence lawsuits in particular could use the Framework to shape reasonable standards of cybersecurity.

Negligence, put simply, is the "failure to behave with the level of care that someone of ordinary prudence would have exercised under the same circumstances." Negligence liability and data security have had a very checkered past. Article III standing requirements and the "economic loss doctrine" have often allowed courts to avoid articulating two crucial elements in a negligence security case: (1) whether a defendant owed a duty to provide a reasonable level of cybersecurity care, and (2) whether that duty of care was breached. However, the potential for lax security measures at critical infrastructure organizations to harm public health, safety, or welfare could overcome some of these hurdles. Additionally, recent cases have signaled a shift in how courts approach these cases, causing some to suggest that we stand at "the dawn of a new era of cybersecurity tort liability."

As courts begin to shape a cybersecurity duty of care in this "new era," the NIST Framework could be used to determine whether a company's duty has been met. Some approaches to determining what constitutes a reasonable standard of care rely on a "risk/utility formula" that weighs the probability that an injury will occur and the gravity of the resulting injury against the burden on a company of implementing adequate precautions. The Cybersecurity Framework could provide a new basis on which courts apply the formula, particularly in determining how "adequate" the Framework would have been to prevent the alleged harms and the "burden" on an organization of implementing it. A more common approach, however, has been to rely on "industry standard" practices as the reasonable threshold. For instance, the Southern District of California suggested in the ongoing case In re Sony Gaming Networks and Customer Data Security Breach Litigation that Sony's alleged failure to employ industry-standard encryption at the time of its massive 2011 data breach was enough for plaintiffs to plausibly allege that Sony breached its duty to employ reasonable data security measures. Again, with the goal of the Administration and the C-Cubed Voluntary Program being to increase adoption of the Framework, we could see a movement toward consensus industry standards.

Some have suggested that failure to implement the NIST Framework could create a "presumption of negligence," should an incident occur. That's definitely a possibility. But the Framework could also act as a form of security "safe harbor" for companies. Companies may look to the Framework for its use as a liability shield, arguing that, despite the occurrence of cyber attacks resulting in harm, an organization's utilization of the Framework translated into reasonable security measures under the circumstances and should therefore defeat liability. In other words, the NIST Framework can be thought of as both a sword and a shield. Either way, it's worth paying attention to in the United States and beyond.

On Zombies and Cyber Attacks (February 18, 2014)

reportedly penetrated the system to issue a "bogus zombie alert" in yet another "disturbingly common" episode showcasing the myriad vulnerabilities buried in "critical systems throughout [U.S.] government . . . ." Aside from being fodder for bored hackers, such weaknesses can be exploited by cyber criminals, terrorists, and nation-states, which makes securing "critical infrastructure" a key test of effective cybersecurity policymaking. Thus far, though, it is a test that many nations, including the United States, the United Kingdom, and India, are failing. However, the release of the National Institute of Standards and Technology (NIST) Cybersecurity Framework could signal a new chapter in securing critical infrastructure not only in the United States, but also in the European Union and potentially around the world.

Nations are taking varying approaches to enhancing critical infrastructure cybersecurity. What has emerged is a governance spectrum with the United States, United Kingdom, and India preferring a more voluntary approach, while other cyber powers, including China, are opting for a larger role for the state. The European Union so far seems to fall toward the middle of the spectrum, with calls for establishing "appropriate cybersecurity performance requirements" as well as mandatory reporting for cyber attacks having a "significant impact" on firms operating across a broad array of sectors.

Time and experience will demonstrate whether a more voluntary or regulatory approach is more effective at securing critical infrastructure. The former, for example, holds the benefit of innovation through experimentation, but the lack of enforcement mechanisms can make the uptake of best practices haphazard. Consider the electric grid. The United States has more than 3,200 independent power utilities, unlike Germany, which has four major providers. Organizing the efforts of a handful of utilities is a far easier undertaking than ensuring the uptake of best practices across thousands of disparate actors.

To help realize the promise of a largely voluntary approach to securing critical infrastructure, President Obama issued Executive Order 13636 in February 2013, which tasked NIST with developing the Cybersecurity Framework, promised as a "prioritized, flexible, repeatable, and cost-effective approach" to help "manage cybersecurity-related risk while protecting business confidentiality, individual privacy and civil liberties." Many commentators have gauged this effort as falling short of what is required, but it could help shape a cybersecurity duty of care.

Over time, the Framework could shape the cybersecurity reform efforts of other nations and regions, including India and the European Union, where it has already piqued the interest of E.U. policymakers. Evolving cybersecurity best practices could even be made enforceable through industry councils, similar to the process by which the reliability standards of the nonprofit North American Electric Reliability Council (now the North American Electric Reliability Corporation) became binding through Congressional action in the Energy Policy Act of 2005, passed in the wake of the 2003 northeast blackout. One hopes that it will not take a major cyber attack, or a zombie invasion, to galvanize similar action to enhance security for critical infrastructure.

#

For further information on this topic, see MANAGING CYBER ATTACKS IN INTERNATIONAL LAW, BUSINESS AND RELATIONS: IN SEARCH OF CYBER PEACE (Cambridge University Press, forthcoming 2014); Beyond the New 'Digital Divide': Analyzing the Evolving Role of Governments in Internet Governance and Enhancing Cybersecurity, STANFORD JOURNAL OF INTERNATIONAL LAW (2014).

Time for a South China Sea Council (June 18, 2013)

at least for now, and the Arctic Circle is home to only some 4 million people, whereas the South China Sea is the second most used sea-lane in the world and is bordered by 10 nations with a combined population of approximately 1.9 billion. But dig deeper and similarities multiply. Both areas, for example, contain significant resources, and as a result are confronting territorial disputes. Yet while the Arctic states have been able to keep the peace and move toward sustainably developing an area that could hold 25 percent of the world's undiscovered oil reserves through the regional Arctic Council, the South China Sea has been described as a "powder keg." The time has come to apply the lessons of the Arctic and form a South China Sea Council (SCSC).

The Arctic Council was established in 1996 as a forum for promoting cooperation among the Arctic states, which include Canada, Denmark, Finland, Iceland, Norway, Russia, Sweden, and the United States. The original aims were modest, including conducting joint scientific studies on climate change, petroleum drilling, and Arctic shipping. It was not until 2011 that the member states signed the first binding treaty negotiated under the Council's auspices, an agreement on search and rescue. Now, though, the importance of the Arctic Council has reached a tipping point. Last month, the Council met and admitted five Asian states as observers, namely Japan, India, China, South Korea, and Singapore, with the EU's application pending, at an event attended by U.S. Secretary of State John Kerry.

Starting small and building on common ground, such as sustainable development and search and rescue, has proved to be an effective catalyst enabling the mission creep now evident in the Council. At the last meeting, a new agreement was signed on oil pollution and emergency preparedness. In short, as was reported by Heather Exner-Pirot in the Arctic Dispatch, "[t]he Arctic Council has come of age. It is productive and collegial. It focuses appropriately on common environmental security challenges, and it is making good progress on addressing these." Can the same be accomplished in the South China Sea?

The story of the Arctic Council should inform efforts to improve regional cooperation in the South China Sea. China, Taiwan, Vietnam, Malaysia, Brunei, and the Philippines, for example, could begin by working on common environmental concerns such as marine pollution in the same way that the Arctic countries signed the Arctic Environmental Protection Strategy in 1991, which became a stepping-stone to the formation of the Council. The South China Sea nations could then establish a Council with a limited mandate, such as the sustainable development of the area, and work toward agreements on scientific collaboration and issues such as search and rescue before moving on to more difficult territorial and security concerns.

Even though the Arctic Council enjoys only a limited mandate from its member states, it has been successful at environmental governance and at defusing tensions in a potentially volatile region. The Council has already achieved considerable success in generating knowledge about the Arctic and bringing added attention to the region in global forums. Although the analogy is certainly not perfect, the United States and other Arctic nations should encourage the South China Sea nations to establish an SCSC without delay. With some luck, a pole of peace could be replicated to cool tensions in a regional hotspot. And you never know, before long the Arctic nations could be applying to the SCSC for observer status.

The Coming Age of Internet Sovereignty? (January 10, 2013)

Twilight series to Battlestar Galactica. But dig deeper, and differences multiply. A search in early 2011 revealed only a single hit for "human rights in China": Alexandra Harney's The China Price. Perhaps most telling was a query conducted by the New York Times in 2010 for "censorship" and "China," which returned a result for a book entitled When China Rules the World.

What does such censorship mean for the rest of the world's Internet users? If the worst predictions of the recently concluded World Conference on International Telecommunications (WCIT) are correct, the Internet experience in more countries could resemble that of China, threatening the dawn of a new age of Internet sovereignty. But such dire warnings may be simplistic and overblown.

The WCIT was held under the auspices of the International Telecommunication Union (ITU), which is a UN body responsible for managing its namesake -- information and telecommunication technologies. In recent years, the ITU has moved towards the center of a debate about how the Internet should be managed, offering an institutional alternative to the collection of private sector actors, such as ICANN, that largely manage the Internet today. Ahead of the WCIT, the secretary general of the ITU, Hamadoun Touré, assured stakeholders that the ITU was not interested in making a power grab for Internet governance. But things turned out differently.

During the WCIT, 193 countries worked to revise the International Telecommunication Regulations (ITRs), which were written in 1988 to "define the general principles for the provision and operation of international telecommunications." Vinton Cerf, the "Father of the Internet," told Congress that new ITRs could undermine the Internet's openness and "lead to 'top-down control dictated by government.'" Numerous U.S. congressional representatives expressed similar sentiments.

To some degree, these concerns seem to have been borne out. Eighty-nine countries signed the WCIT final resolution, which on the one hand embraces multi-stakeholder governance but on the other determines that "all governments should have an equal role and responsibility for international Internet governance and for ensuring the stability, security and continuity of the existing Internet." This language seems to herald a growing state-centric view of cyberspace held by many nations, especially in Asia (with the notable exceptions of India, Japan, and Australia) and Africa. Such a view could lead to more regulation of content, what we generally think of as censorship, among other restrictions. Indeed, there is a key distinction between how the United States and other countries, such as China, claim to view cyberspace, but the situation is not as black and white as it may first appear.

The United States has a stated policy of promoting a single global networked commons where freedom of speech is sacrosanct, even as the White House has sought the ability to monitor that speech through stepped-up wiretapping. Indeed, the Obama administration has promoted Internet freedom abroad, but content is not insulated at home. For example, Google publishes information about governments that have requested information about its users or asked it to remove content. According to its June 2012 Transparency Report, between July and December 2011 Google received some 1,000 such requests and complied with over half of them. The requesting governments included Western democracies like Spain, Poland, and the United States, with the United States reportedly submitting more requests than any other country.

China, on the other hand, along with many other nations, is viewed as building digital barriers in the name of Internet sovereignty. Consider the case of Iran, which reportedly is building a national network detached from the global Internet to enhance governmental control of information and potentially better guard against cyber attacks. And while Iran's efforts are more extreme than many nations, it is not alone. Ethiopia, Cuba, and more than 40 other nations now routinely monitor Internet traffic. These nations are part of a growing club that seems to balk at the notion of Internet freedom.

But this debate between Internet freedom and sovereignty is an oversimplification and ultimately a false choice. Instead of a black and white comparison, what may be more accurate is investigating the 50 (or potentially 193) shades of gray that comprise the complexion of global Internet regulations to find common ground. Even if we are not heading for an age of outright Internet balkanization, we may be in for a period of greater state involvement in Internet governance. The open questions are: what costs will this impose in terms of innovation and interconnectedness, and how can we manage the growing reach of the leviathan to minimize distortions and protect civil liberties?

The United States contributes to this debate by trumpeting Internet freedom and the benefits of a more decentralized approach to Internet governance. These calls were not heeded at the WCIT, but that does not mean that it is time to disband the ITU. At most, the non-binding WCIT resolution helps provide legal cover for countries that are already taking a heavier hand in Internet governance. This trend would not stop with the demise of the ITU. Yet it is also true that the ITU is a state-centric UN organization with a circumscribed role for the private sector, which militates against expanding its scope.

An opportunity to instill the Internet freedom agenda may have been missed at the WCIT, but that does not mean that the Internet as we know it is over. Instead, it should be taken as a call to action for Western nations, including the United States, to practice what we preach, and to work with our partners around the world to build consensus on the future of Internet governance in an increasingly multipolar world.

Scott Shackelford is an Assistant Professor of Business Law and Ethics at Indiana University-Bloomington. He is also a fellow at the Center for Applied Cybersecurity Research, and the author of the forthcoming book, Managing Cyber Attacks in International Law, Business and Relations: In Search of Cyber Peace.

How to Enhance Cybersecurity and Create American Jobs (July 16, 2012)
At its most basic level, the Internet is composed of cables, computers, and routers. Innocent or malicious hardware flaws in this physical infrastructure can give rise to myriad vulnerabilities. As Richard Clarke and Robert Knake explain in Cyber War: "What can be done to millions of lines of code can also be done with millions of circuits imprinted on computer chips inside computers, routers, and servers." In other words, hackers can attack your computer system not only by sending you a virus-infected email, but also by altering a tiny circuit in a chip you will very likely never even see.

Consider the recent findings of a University of Cambridge team that a programmable chip reportedly used in the Boeing 787 Dreamliner contains an undocumented backdoor that could allow an attacker to reprogram the chip or cause permanent damage. One caveat: the backdoor the researchers documented is reached through the chip's hardware debug interface, so exploiting it requires physical access to the device rather than merely a connection over the Internet, as some press accounts implied. Boeing is not alone.

The U.S. Department of Defense's commercial-off-the-shelf (COTS) program was intended to help drive down costs for proven technologies by using state-of-the-art commercial systems in lieu of the cost-plus-award-fee method that covered contractors costs and paid them a profit. The advantages of COTS are self-evident, but with a COTS item -- such as Dell computer hardware, which is widely used by the Department of Defense -- the government cannot monitor the manufacturing process. Thus, the true cost of COTS lies in the vulnerabilities that it introduces into critical national infrastructure. For example, DoD purchased 2,200 Sony PlayStation 3s in 2009 to provide cheap processing power for a military supercomputer. But these systems are often manufactured abroad, including in China. U.S. government reports have cited supply chain concerns for hardware, claiming that components embedded with security flaws have been found. Kill switches could be installed in Pentagon networks to power down critical systems by remote control as a prelude to an attack.

Once compromised, hardware is often in the hands of an unknowing user. Few hardware vulnerabilities are likely to be discovered and fixed, and even fewer are likely to be attributed to a cyber attack. Unlike code, a malicious circuit leaves a physical trapdoor, but most experts still cannot easily detect flaws in a computer chip. Producing a microchip requires over 400 steps, opening up numerous opportunities for subversion along the way.

Grasping how best to manage hardware vulnerabilities is difficult, since the current supply chain involves many companies operating in many countries. Nor are there enough U.S. manufacturers to allow the Pentagon to buy domestically. Despite years of trying, still only two percent of the integrated circuits purchased by the DoD are made in the United States, with the majority coming from Asian nations with track records of "unambiguous, deliberate subversions" of computer hardware, according to a White House report.

What can be done, then, to secure U.S. critical hardware? New add-on security features are needed to safeguard systems, as are better quality control and more domestic sources of key components. The DoD, for example, should revise its COTS policy and make a long-standing commitment to U.S. firms to purchase critical electronic components domestically. This would have the dual benefits of being a boon to the U.S. electronics industry, thereby creating good U.S. jobs, and of promoting cybersecurity. Though not a perfect solution, since domestically produced hardware may still be vulnerable, it would be a vast improvement on the status quo.

There is some evidence that firms are beginning to take hardware vulnerabilities seriously. NBC and Google, for example, are planning "war games" ahead of potential hardware disruptions in Olympic Games streaming. Congress should take note. Partisan gridlock should not scuttle reform -- cybersecurity is not a liberal or conservative issue, and the time for action is now. Cybersecurity legislation being debated should include provisions for securing critical U.S. hardware, such as amending COTS, as a necessary first step toward enhancing cybersecurity and fostering cyber peace.

Scott Shackelford is an assistant professor of business law and ethics at the Indiana University Kelley School of Business. He is also author of the forthcoming Cyber Peace: Managing Cyber Attacks in International Law, Business, and Relations (Cambridge University Press).

In Search of Cyber Peace: A Response to the Cybersecurity Act of 2012
Scott J. Shackelford, March 27, 2012

The Cybersecurity Act of 2012, recently introduced in the Senate Homeland Security and Governmental Affairs Committee, has been touted as the latest bipartisan attempt to enhance the nation's cybersecurity. If enacted, the bill would grant new powers to the Department of Homeland Security (DHS) to oversee U.S. government cybersecurity, set "cybersecurity performance requirements" for firms operating what DHS deems to be "critical infrastructure," and create "exchanges" to promote information sharing. In its current form, the bill is a useful step in the right direction but falls short of what is required. Fundamentally, the bill misconstrues the scale and complexity of the evolving cyber threat, defining critical infrastructure too narrowly and relying too much on voluntary incentives and risk mitigation strategies. In this, it might improve on the status quo, but it will not foster genuine and lasting cybersecurity.

Dozens of bills have been proposed over the years to shore up U.S. cybersecurity. None have so far been enacted, or even reached the floor for a vote, in part because legislation dealing with cybersecurity faces daunting prospects on Capitol Hill given that the issue involves over 40 committees. How does this Act stack up against past cybersecurity reform efforts? There are more similarities than differences. Information sharing remains voluntary. Tax breaks for upgrading cybersecurity defenses are glaringly absent, even though the 2011 House Cybersecurity Recommendations encouraged Congress to consider expanding existing tax credits. Audits would be conducted by the firms themselves and self-reported. But there are a few glimmers of hope.

One is the focus on critical national infrastructure (CNI), which is encouraging given its importance to U.S. national security. But what exactly constitutes critical infrastructure? There's little agreement. The original President's Commission on Critical Infrastructure Protection identifies five such institutions; the European Commission identifies eleven. When the U.S. Department of Defense unveiled declassified portions of its strategy for cyberspace, Deputy Secretary of Defense William J. Lynn announced that everything from the electric grid to telecommunications and transportation systems constitutes critical national infrastructure, stating that a cyber attack against "more than one [of these networks] could be devastating."

How does the Cybersecurity Act treat this thorny issue? The bill designates an industry as "critical" by deciding whether "damage or unauthorized access to... [a] system or asset could reasonably result in... the interruption of life-sustaining services... ; catastrophic economic damages to the United States... ; or severe degradation of national security." But the Act omits "information technology products," including both hardware and software. These exceptions hamper the effectiveness of the bill and are the result of kowtowing to industry. There are multiple vulnerabilities even in protected systems, and attackers can enter just as easily through compromised commercial hardware as they can through a virus. Recent reports have cited supply chain concerns about hardware and have found components embedded with security flaws.

Despite the watering down of the Cybersecurity Act, there are signs of further backpedaling. Senator McCain and a group of seven other senators have introduced a competing cybersecurity bill, the SECURE IT Act, which would give DHS less regulatory power over private businesses managing critical infrastructure and grant the National Security Agency more authority to manage cyber attacks. But the legislation has been criticized for being too weak on security, given its over-reliance on voluntary information sharing. The debate continues, especially given concerns about over-regulation and about privacy and civil liberties protections, though some of these concerns are tempered by procedures that DHS is charged with developing under the Cybersecurity Act.

In 3001: The Final Odyssey, Arthur C. Clarke envisions a future in which humanity has had the foresight to rid itself of the worst weapons of mass destruction it created and to place them in a vault on the Moon. A special place in this vault was reserved for the most malignant computer viruses that, in his speculative fiction, had caused untold damage to humanity over the centuries. Before new cyber attacks do untold damage to our Information Society, it is in our own best interest to educate and regulate our way to a steady state of cybersecurity in which we can all enjoy the benefits of an open and secure cyberspace. Part of this process involves broadening the definition of CNI in the Cybersecurity Act and deepening public-private partnerships, including more robust information sharing. If there's one thing that science fiction has taught us, it's the wonder of the future, both good and bad. Whether or not that future includes the security and prosperity of cyber peace is up to us, including, for better or worse, the U.S. Congress.